Hi GF,
context not getting updated is definitely concerning. If it's XS crashing, then we need to know and fix it, so if you're getting core dumps please open a support ticket and reference Extreme Search. If it's Splunk having to bail out and skip those searches, who knows what else is skipping. On ES that could mean time windows not being reviewed for whatever the correlation searches look for, which is potentially getting into due diligence and compliance stuff.
I do think that the question being asked here (do we have unusual traffic on this port) is a little questionable... in a lab you might see lots of activity in 1-1024 and a handful of apps (games, IM, fileshare, VOIP and videoconference) up in the high ports, but on a production network with thousands of real people using the real internet there's going to be a lot of churn as fashions change and apps evolve. Regardless of how it's implemented, an ML test is depending on the past predicting the future; as you're seeing, the data on a given high port is pretty erratic and doesn't really make a good prediction. It would probably be more interesting to ask if the data for a port is changing from erratic to stable or from stable to erratic... maybe instead of count of connections or bytes, something like "my data| fields bytes port action | fieldsummary | stats max(stdev) by port"??
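As an added illustration of the erratic/stable idea above (my own example, not code from the thread or from Splunk), the check below compares per-port variability between a baseline window and a recent window and labels the transition; the ports, hourly counts and the 0.5 threshold are constructed assumptions.

```python
"""Flag ports whose traffic volatility changes between two periods.

Constructed example: hourly connection counts per destination port,
split into a baseline window and a recent window. Rather than asking
"is this count unusual?", we ask whether the per-port variability
(stdev relative to the mean, i.e. the coefficient of variation) moved
from erratic to stable or from stable to erratic.
"""
from statistics import mean, pstdev

# Constructed sample: 16 hourly counts per port; first 8 = baseline, last 8 = recent.
SAMPLE = {
    80:    [900, 950, 880, 910, 930, 890, 920, 940, 905, 915, 925, 895, 935, 910, 900, 920],
    51820: [5, 120, 0, 80, 3, 200, 15, 60, 50, 52, 49, 51, 50, 48, 53, 50],   # erratic -> stable
    6881:  [40, 42, 41, 39, 40, 43, 41, 40, 5, 300, 0, 150, 20, 400, 8, 90],  # stable -> erratic
}

def coeff_var(values):
    """Coefficient of variation; 0.0 for an all-zero window to avoid divide-by-zero."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def classify(baseline_cv, recent_cv, threshold):
    """Label the change in variability; 'threshold' (assumed 0.5) separates stable from erratic."""
    was_erratic = baseline_cv >= threshold
    is_erratic = recent_cv >= threshold
    if was_erratic and not is_erratic:
        return "erratic->stable"
    if not was_erratic and is_erratic:
        return "stable->erratic"
    return "unchanged"

def volatility_shift(series_by_port, split, threshold=0.5):
    """Return {port: (baseline_cv, recent_cv, label)}; counts[:split] is the baseline window."""
    out = {}
    for port, counts in series_by_port.items():
        b, r = coeff_var(counts[:split]), coeff_var(counts[split:])
        out[port] = (round(b, 3), round(r, 3), classify(b, r, threshold))
    return out

if __name__ == "__main__":
    for port, (b, r, label) in volatility_shift(SAMPLE, split=8).items():
        print(f"port {port:>6}: cv {b:.2f} -> {r:.2f}  {label}")
```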